Egress Hairpinning

I run a couple servers inside my network, mostly relying on a reverse-proxy to accept connections on TCP 443 and proxy the connections to the right internal server. I don't run separate internal v. external DNS. Instead, I have a more typical setup where I define an external DNS server in eero, then the eero includes its address as the DNS server in all DHCP addresses, and forwards the requests.


As a result, though, I can't access my server by [subdomain].[domain].com while *inside* my eero network. I have to instead use DNS shortnames. This is annoying for a number of reasons. 

161replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • I really need this feature too for things in my network as I do go in AND out of my network. I'll be going back to main router with eero in bridge mode. Here is a good link for some speed tests and options. I may be trying the Linksys Velop first. https://arstechnica.com/gadgets/2017/02/linksys-velop-review-uk-mesh-wi-fi/

    Sorry eero, I tried to like these.

    Like 1
  • It seems this feature has been requested for a while and still hasn't been answered. 


    I also need need this feature as I run an IIS server at home. Yes, accessing the server using its internal IP is a workaround.


    But this doesn't work efficiently in my case because I run 3 websites in the IIS. I have to use my phone, disconnect it to eero just to be able to access the websites. 


    When can we we get this feature? This should've been part of the eero since day one, right? Most routers support this now. 

    Like 1
  • PLEASE prioritize NAT loopback. I have a home automation & security system that uses my mobile phone's geolocation info to inform the HA controller whether I am "home" or "away". My phone obviously has to be able to reach the HA controller inside my home network to update that status. However, without NAT loopback, the process of updating my home/away status is unreliable. Either I use my internal IP address, and can only notify it that I'm home, or I use my external DNS, and can update it when I leave, but am unable to notify it that I'm home if it tries to send the notification once I'm in range of my home wi-fi. This is frustrating to no end, and has me deeply regretting my Eero purchase.

    Like 3
  • These requests have only been given "lip service".   Eero has no interest of making their products to meet the very basic standard features.   I regret getting the eero units.

    Like 1
  • eltonsiu@gmail.com  The way I see it, it is up to eero whether they retain me as a customer. I've already made my feelings about the current state of the eero system known via Amazon, so I've done what I can to prevent more people from ending up in the same boat. If eero manages to fix this in the next six months, then perhaps they'll keep me as a customer. If they don't, then I can guarantee you that I'll be looking for sales on the Orbi in November.

    Like 1
  • If you can escape with a refund do so now start your return. This is not a priority in the current system. They might be working on a new router with this option and calling it their pro line who knows, but this clearly isn't a priority right now.  I selected a refund method myself.

  • This really needs to become their #1 priority. As a user, this is the only know deficiency I am aware of or experiencing. I am not seeing all the "performance issues" they supposedly keep fixing.

  • I must be one of the lucky ones then, who still has performance issues, like full signal on my device, full signal between eeros, but zero throughput. I get to enjoy that PLUS the omission of otherwise standard network management features.


  • russwittmann No chance that I would buy their "pro line" if eero chooses to fix this in their next generation product.  This is a very basic feature.  I only have myself to blame not finding this issue within the 30-day refund period.  So far, their response, or lack of, has been very disappointing.

  • What is an alternative to eero that supports loopback? I asked Google WiFi, and they don't support it as well.

  • I’m still salty that eero hasn’t addressed this problem, too, although I do somewhat understand why they don’t implement it since there is a definite security concern for NAT loopback to be enabled by default. Hopefully, though, I can spread some hope for working around this issue without buying new hardware since the eero is an otherwise amazing product. You can of course buy a separate router to use for NAT, but that’s pretty annoying. Although If you own a domain name and have a server computer in your house, preferably running Linux, you can use an internal DNS server to work around the lack of NAT loopback. Basically, what you’ll end up doing is pointing your domain to your external IP through your DNS host, then point your domain on the internal DNS server to the internal IP of whichever device you want to access on both sides of the network. Then in every configuration where you would use your IP, just use your domain instead. This is also pretty nifty since if your external IP changes, you don’t have to reconfigure anything except your domain. A few caveats are that you’ll need a different subdomain for every device in your house that you want to connect to on both sides of the network since they’ll get the same IP externally but a different IP internally. You’ll also need to use the same ports both inside and outside your house unless whatever service you’re using supports SRV records, which is pretty unlikely. And remember to go into your eero configuration and set your DNS server to the internal IP of your internal DNS server. I used the BIND DNS server with this tutorial, modifying it slightly since my house is not a data server. The basic principles are still the same though. Assuming you keep your internal DNS server up to date and don’t do anything foolish with it, I don’t see any of the additional security risks associated with NAT loopback either, but I’m certainly not a network engineer. Hopefully this helps anyone who still really likes eero but wants to do some fancy stuff with their network both inside and out!

    Like 1

  • go_robot_go You have tried isolating your modem I assume?

  • crispywisp Google WiFi supported this from day one, and I'm using Google WiFi as well.

  • CodeGrue How do you mean?

  • Google WiFi DOES support it. As does Luma and AmpliFi.

    I've stuck with my Linksys EA9500.

  • russwittmann idiot google support. I asked him specifically about NAT loopback and they said they don't have that feature supported. I did like google wifi. But the only thing I didn't like about it is that it doesn't support Class A DHCP. 

    Do you recommend Google wifi over Eero? I might go back to Google WiFi if it supports the loopback (I tried Google WiFi for half a day). It's hard to code websites running at a home server if eero doesn't support loopback. 

  • crispywisp I'm in your same boat and everything works fine for me with Google WiFI.  I will say chances of Class A DHCP Support in Google Wifi will probably come faster than nat loopback on eero. In my opinion eero is really a basic out of the box consumer product and not ready for advanced users.

  • I just placed an order for Google WiFi. I think this is a better decision to make than to wait for Eero. I'll give Google another try. Class A DHCP is not a big issue though than the loopback.

    Like 1
  • crispywisp thats the decision I had to make. this topic is 8 months old but there is other reddit that is almost year old.

    Like 1
  • Well that did it for me. I already had a [Google] OnHub. I just got 3 more pucks and moving to that. See-ya eero. I'll use you in bridge mode perhaps.

  • Just a question though. How is it that enabling a NAT loopback a security risk? I don't get it. 

  • crispywisp  When your router receives a packet addressed to your internal IP, it changes the destination to match the corresponding device on the internal network, assuming you have port forwarding set up. So here's why hairpin NAT doesn't normally work. A device with an internal IP, A, tries to use your external IP, C, to connect to a device with internal IP, B. A device A marks a packet (A->C) and sends it off to the router. The router realizes that since the packet is destined to the external IP, so it should change the destination to the corresponding device inside the network, B. So device B receives a packet (A->B). Device B then replies, so device A gets a packet (B->A). Device A freaks out because it expected a response from C but instead got a response from B. There's not really a whole lot you can do about that. The router has to NAT the packet from (A->C) to be (C->B) and then NAT the response (B->C) to (C->A). As you can see, it would have to NAT both the source and the destination, which isn't something you can easily do. Normally, you can only map the source or the destination or you lose track of what the packet is actually supposed to be. If you want that to actually work, you have to go through annoying processes of marking packets or some other convoluted system. Most implementations just mark packets. But any device on the network can mark its own packets however it wants, so whatever information is contained with the mark, any device on the network can spoof. Best case scenario, a device on the network can spoof being another host on the network to MitM your internal connections. In a worse scenario, which is more likely since implementations can never be bug free, a device on the network can probably spoof being whatever host they want, which is extremely bad news. As such, most enterprise grade hardware disables NAT loopback. For residential networks, it doesn't really matter too much, but the implementation of the feature is pretty ugly and it is somewhat of a risk, which is why eero's team might not be too fired up to work on this. Also, I'm not a network engineer so all of that could be totally wrong, but as far as I know, that's the problem. 

    Like 1
  • A lead eero engineer thinks adding this feature will allow anyone on the internet to take over control of your entire network.  Of course the reasoning is pretty far out there.  I am going with lazy.   Add a sub $100 EdgeRouter and put eero in bridge mode.  Full control over everything and anything including hairpinning. :)

    Like 1
  • I decided to go with Velop instead of Google WiFi. seems like a better choice.

  • crispywisp please let us know what you think. I have the Google hardware already so I'll try that next. But my CEO built a house recently and used Velop. I setup the wifi there. Those nodes put out a VERY strong signal. I used Ekahau heatmapper and those nodes are the strongest I've seen. Easily twice the reach before considerable dB drop. They had other issues, like their UI lacks features. That stuff will come in time I assume/hope. The Orbi looks nice due to it's dedicated channel for internal communications. Overall the UI I thought was best is Google's. I look forward to a couple years when we get one that has the best features of them all. Cheers!

Vote49 Follow
  • Status Implemented
  • 49 Votes
  • 2 yrs agoLast active
  • 161Replies
  • 11047Views
  • 66 Following

Need Help? We're here for you!

We're big on support, and we want to make sure you always have the best eero experience possible. Here are several resources you can use if you ever need our help!

Quick links

Community Guidelines

Help Center

Contact eero support